From 01bbdc98d6e1a897111a93e0137dc41b0dd4e083 Mon Sep 17 00:00:00 2001
From: Jiri Vymazal <jvymazal@redhat.com>
Date: Wed, 10 Jul 2019 13:49:43 +0200
Subject: [PATCH] Modified GnuTLS priority according to standard crypto-policy
guideline
Edited the default TLS priority string to conform to the system-wide default
and align librelp's behavior with other crypto-utilizing packages
---
src/tcp.c | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/src/tcp.c b/src/tcp.c
index bd9bf1d..36e8712 100644
--- a/src/tcp.c
+++ b/src/tcp.c
@@ -1136,20 +1136,29 @@ relpTcpTLSSetPrio_gtls(relpTcp_t *const pThis)
char pristringBuf[4096];
char *pristring;
ENTER_RELPFUNC;
- /* Compute priority string (in simple cases where the user does not care...) */
+ /* Set default priority string (in simple cases where the user does not care...) */
if(pThis->pristring == NULL) {
- if(pThis->bEnableTLSZip) {
- strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-ALL", sizeof(pristringBuf));
- } else {
- strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-NULL", sizeof(pristringBuf));
+ if (pThis->authmode == eRelpAuthMode_None) {
+ if(pThis->bEnableTLSZip) {
+ strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-ALL", sizeof(pristringBuf));
+ } else {
+ strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-NULL", sizeof(pristringBuf));
}
- pristringBuf[sizeof(pristringBuf)-1] = '\0';
- pristring = pristringBuf;
+ pristringBuf[sizeof(pristringBuf)-1] = '\0';
+ pristring = pristringBuf;
+ r = gnutls_priority_set_direct(pThis->session, pristring, NULL);
+ } else {
+ r = gnutls_set_default_priority(pThis->session);
+ strncpy(pristringBuf, "to recommended system default", sizeof(pristringBuf));
+ pristringBuf[sizeof(pristringBuf)-1] = '\0';
+ pristring = pristringBuf;
+ }
+
} else {
pristring = pThis->pristring;
+ r = gnutls_priority_set_direct(pThis->session, pristring, NULL);
}
- r = gnutls_priority_set_direct(pThis->session, pristring, NULL);
if(r == GNUTLS_E_INVALID_REQUEST) {
ABORT_FINALIZE(RELP_RET_INVLD_TLS_PRIO);
} else if(r != GNUTLS_E_SUCCESS) {